dovecot -- security hole in blocking passdbs

Details

VuXML ID

b39bdc06-ee42-11dc-8678-00a0cce0781e

Discovery

2008-03-09

Entry

2008-03-10

Dovecot reports:

Security hole in blocking passdbs (MySQL always. PAM, passwd
and shadow if blocking=yes) where user could specify extra
fields in the password. The main problem here is when specifying
"skip_password_check" introduced in v1.0.11 for fixing master user
logins, allowing the user to log in as anyone without a valid
password.